Whether public, private or hybrid cloud, whether SaaS, IaaS or PaaS: all these cloud computing approaches differ in particular with respect to whether the processing sites and parties can be determined at all, and whether the user has any influence on the geographical, qualitative and infrastructural conditions of the services provided.
It is therefore difficult to meet all compliance requirements, particularly in the fields of data protection and data security. The decisive factors are the transparency, controllability and influenceability of the service provider and its way of working. So far, problems arise in particular with the public cloud.
In order to avoid liability risks and to gain a better perspective on business continuity, it is in your interest as the contractor to remain "master of the data".
Several essential requirements follow from this:
1. Open, transparent and detailed information from the service provider about its technical and organizational measures and the legal framework of its services.
In practice this is usually provided. However, from your perspective as the service contractor it is not always verifiable to the degree the relevant laws require, which leaves you liable for errors originally committed by the service provider while providing the services.
Challenge your service provider for documentation of its technical and legal measures. Don't assume it is sufficient just because the provider represents a large organization or offers the best price on the market.
2. The implementation of coordinated security measures on the part of cloud providers and cloud users.
In order to comply with local legislation and your own corporate policies, cloud providers need to apply more than just their own rules to the services provided to you. As usually seen in practice, providers have difficulty moving beyond their own terms and conditions and listening to your legal and corporate needs.
If the service provider does not offer to customize the terms of its services to your needs, it is not your service provider.
3. Transparent and clear service and data protection agreements (Controller-to-Processor Agreements), in particular with provisions governing the site of data processing and the notification of any change of location.
The contractual dimension decides whether the use of cloud services is compliant, and it gains immensely in importance once a non-European cloud is involved.
Have all contractual documents checked professionally. You will not be able to assess the legal implications unless you are an expert in international data protection law. If you accept the wrong contracts, the liability for whatever the service provider decides to do with your data will be yours.
4. The submission of current certificates relating to the relevant technical infrastructure.
The certificates should attest to information security as well as portability and interoperability, as tested by independent testing organizations. Certificates are sometimes awarded that cover only part of the necessary measures.
Don't trust certificates as if they were handed down from god. The purpose of a certificate is not to let you stop thinking. Make up your own mind and don't blindly follow the mainstream.
5. The problem with cloud services involving non-EEA countries is that authorities, in particular U.S. authorities, sometimes access personal data / personally identifiable information (PII) without any legal cause (from a European perspective) and without complying with the principles of proportionality and purpose limitation for personal data / PII.
Such access constitutes a data protection violation committed by the European contractor – not necessarily the international cloud service provider – against employees, customers and other service providers.
If even one of your companies is based within the EU, you have to be aware that it is much harder and often even impossible for your company to remain compliant with data protection laws if your service provider is located outside the EEA. On the economic side, this means that you either have to add the risk of damages and fines from non-compliance to your ROI calculation, which could easily turn it upside down, or stay with service providers located inside the EEA.